Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek, Armando Solar-Lezama MIT CSAIL 24 th ACM SOSP (November, 2013) Best Paper
O UTLINE Introduction Model for Unstable Code Design & Implementation Evaluation 2013/11/26 A Seminar at Advanced Defense Lab 2
I NTRODUCTION The specifications of C-family languages designate certain code fragments as having undefined behavior. giving compilers the freedom to generate instructions Aiming for system programming, the specifications choose to trust programmers and assume that their code will never invoke undefined behavior. 2013/11/26 3 A Seminar at Advanced Defense Lab
U NDEFINED B EHAVIOR IN C p, q, p’: n-bit pointer x, y : n-bit integer a : array 2013/11/26 4 A Seminar at Advanced Defense Lab
C OMPILER O PTIMIZATION One way in which compilers exploit undefined behavior is to optimize a program under the assumption that the program NEVER invokes undefined behavior. Consequence: Origin program ≠ Optimized program We call such code optimization-unstable code, or just unstable code for short. 2013/11/26 5 A Seminar at Advanced Defense Lab
U NSTABLE C ODE E XAMPLE Vulnerability Note VU# (US-CERT) [link]link 2013/11/26 6 A Seminar at Advanced Defense Lab =>Compiler think: always false
U NSTABLE C ODE E XAMPLE ( CONT.) CVE [link]link Linux Kernel [LXR link]LXR link Programmer put the check at an improper position, but it can work /11/26 7 A Seminar at Advanced Defense Lab =>Compiler think: always false
Is this programmers’ fault? Poor understanding of unstable code is a major obstacle to reasoning about system behavior. However, these bugs are quite subtle, and understanding them requires detailed knowledge of the language specification. 2013/11/26 8 A Seminar at Advanced Defense Lab
Is this compilers’ fault? A story: GCC bug #30475 (2007/01/15) [link]link “This will create MAJOR SECURITY ISSUES in ALL MANNER OF CODE. I don’t care if your language lawyers tell you gcc is right.... FIX THIS! NOW!” A GCC user “I am not joking, the C standard explictly says signed integer overflow is undefined behavior.... GCC is not going to change.” A GCC developer 2013/11/26 9 A Seminar at Advanced Defense Lab
U NSTABLE C ODE T EST The default optimization level for release build is -O /11/26 10 A Seminar at Advanced Defense Lab
M ODEL FOR U NSTABLE C ODE 2013/11/26 11 A Seminar at Advanced Defense Lab
A PPROACH FOR I DENTIFYING U NSTABLE C ODE Stack does this using a two-phase scheme 1. Run optimizer O without taking advantage of undefined behavior, which resembles optimizations under C* 2. Run optimizer O again, this time taking advantage of undefined behavior, which resembles (more aggressive) optimizations under C. 2013/11/26 12 A Seminar at Advanced Defense Lab
W ELL - DEFINED P ROGRAM A SSUMPTION 2013/11/26 13 A Seminar at Advanced Defense Lab
E LIMINATING U NREACHABLE C ODE 2013/11/26 14 A Seminar at Advanced Defense Lab
S IMPLIFYING U NNECESSARY C OMPUTATION 2013/11/26 15 A Seminar at Advanced Defense Lab
S IMPLIFICATION O RACLE Boolean oracle: propose true and false in turn for a boolean expression, enumerating possible values Algebra oracle: propose to eliminate common terms on both sides of a comparison if one side is a subexpression of the other x + y y < /11/26 16 A Seminar at Advanced Defense Lab
L IMITATION It is possible to exploit the well-defined program assumption in other forms. 2013/11/26 17 A Seminar at Advanced Defense Lab
D ESIGN & I MPLEMENTATION Implement with LLVM + Boolector solver 2013/11/26 18 A Seminar at Advanced Defense Lab
C OMPILER F RONTEND To reduce false warnings, Stack ignores such compiler-generated code by tracking code origins, at the cost of missing possible bugs. 2013/11/26 19 A Seminar at Advanced Defense Lab
UB C ONDITION I NSERTION Stack inserts a special function call into the IR at the corresponding instruction void bug_on(bool expr) 2013/11/26 20 A Seminar at Advanced Defense Lab
S OLVER - BASED A LGORITHM To implement these algorithms, Stack consults the Boolector solver to decide satisfiability for elimination and simplification queries. But it is practically infeasible to precisely compute them for large programs. To address this challenge, Stack computes approximate queries by limiting the computation to a single function. With Tu and Padua’s algorithm 2013/11/26 21 A Seminar at Advanced Defense Lab
E VALUATION New bug: 160 (July 2012 March 2013) 2013/11/26 22 A Seminar at Advanced Defense Lab
A NALYSIS OF B UG R EPORTS Non-optimization bugs Urgent optimization bugs Time bombs Redundant code (false alarm) 2013/11/26 23 A Seminar at Advanced Defense Lab
A NALYSIS OF B UG R EPORTS ( CONT.) Non-optimization Bugs Example: PostgreSQL [link]link 2013/11/26 24 A Seminar at Advanced Defense Lab Time bomb!!
P RECISION Kerberos: 11 warning Developers accepted every patch false warning rate: 0/11 Postgres: STACK produced 68 warnings 9 patches accepted 29 patches in discussion: developers blamed compilers 26 time bombs 4 false warnings 2013/11/26 25 A Seminar at Advanced Defense Lab
P ERFORMANCE 64-bit Ubuntu (Linux) Intel Core i GHz 24GB memory Solver time out: 5s 2013/11/26 26 A Seminar at Advanced Defense Lab
P REVALENCE OF U NSTABLE C ODE All packages in Debian Wheezy archive: 17,432 Containing C/C++ code: 8,575 Containing unstable code: 3,471 (40%) 150 CPU day to analyze 2013/11/26 27 A Seminar at Advanced Defense Lab
P REVALENCE OF U NSTABLE C ODE ( CONT.) 2013/11/26 28 A Seminar at Advanced Defense Lab
C OMPLETENESS It is difficult to known precisely how much unstable code Stack would miss in general. We analyze what kind of unstable code Stack misses. A total of ten tests from real systems Result: 7/ /11/26 29 A Seminar at Advanced Defense Lab
Q & A 2013/11/26 A Seminar at Advanced Defense Lab 30